Reflections from the UCISA Leadership Conference
By Tom Eggleston, CEO at ProofID
At this year’s UCISA Leadership Conference, we hosted a breakfast briefing exploring a topic that is quickly becoming one of the most important issues facing university IT leaders:
Machine identity governance.
The session, “From Certificates to AI Agents: Governing Machine Identity in Higher Education”, brought together ProofID’s Patrick Maginn and CyberArk’s Tommy Roberts to discuss how the identity landscape inside universities is changing.
Two drivers are accelerating that change.
First, the dramatic reduction in TLS certificate lifespans to 47 days.
Second, the emergence of AI agents acting autonomously within digital environments.
Individually these shifts are significant. Together, they represent a fundamental change in how universities must approach identity security.
Higher Education Already Runs on Identity
Universities have always been complex identity environments.
Students, academics, researchers, alumni and partners all require secure access to digital services. On top of that sits federated access, cloud platforms, research infrastructure and countless internal applications.
But increasingly, the identities accessing these systems are not human.
Machine identities now include:
- TLS certificates
- APIs and services
- Automation scripts and workloads
- Containers and cloud infrastructure
- Research platforms
- and increasingly, AI agents
Across large organisations, machine identities can outnumber human identities by as much as 80 to 1.
Many of these identities have grown organically over time. In numerous institutions, they exist without full visibility, governance or lifecycle control.
That creates risk today — and the scale of the challenge is about to increase.
Why the 47-Day Certificate Lifecycle Matters
One of the biggest catalysts discussed during our UCISA session was the move toward much shorter TLS certificate lifespans.
Over time, certificates will have a maximum validity of 47 days. On the surface this sounds like a technical adjustment, but the operational implications are substantial.
Universities that once renewed certificates annually will soon face continuous renewal cycles.
If those processes remain manual, the workload quickly becomes unsustainable. More importantly, expired certificates remain one of the most common causes of service disruption.
During the session, Patrick Maginn shared an insight from our work across customer environments:
"Around 50% of P1 and P2 outages we've investigated over the past two years have been linked to certificate mismanagement."
"Roughly one third of all support tickets raised relate to certificate issues."
Tommy Roberts reinforced how widespread this issue is across the industry. Drawing on support data from Palo Alto Networks environments, he highlighted that:
Our audience confirmed that they had all experienced outages in their institutions.
"Taken together, these statistics illustrate just how often certificates sit at the heart of operational disruption."
For universities, certificate-related outages can affect critical systems including:
- student portals
- enrollment and clearing systems
- research infrastructure
- authentication platforms
When these services go offline unexpectedly, the consequences extend beyond IT operations to the wider student and academic experience.
This is why the certificate lifespan change should not simply be viewed as a compliance issue.
It should be seen as a catalyst to modernise machine identity governance.
The Hidden Scale of Machine Identity
One of the most revealing questions during the discussion was simple:
What happens when a university truly looks for all its machine identities?
The answer is often surprising. Across complex digital estates we regularly see:
- thousands of TLS certificates
- thousands more secrets and credentials
- service accounts embedded across applications
- APIs connecting internal and external systems
- automated research workloads running in the cloud
Without visibility and governance, these identities are difficult to track, rotate, monitor or secure.
And the number of identities will continue to grow as institutions adopt automation and AI-driven services.
The first challenge many universities face is not security tooling — it's visibility.
"When we asked the audience, none could confidently confirm how many machine identities existed across their institutions."
If you don’t know an identity exists, you cannot secure it.
Turning a Compliance Problem into a Strategic Opportunity
Rather than viewing the certificate change as an operational burden, universities have an opportunity to use it as a trigger for broader identity modernisation.
During our discussion we talked about a practical progression that institutions can follow:

- Discover: Identify every certificate and machine identity across the estate.
- Govern: Establish clear ownership, policies and lifecycle controls.
- Automate: Implement automated certificate management and renewal processes.
Automation is essential in a world of 47-day certificates. But the real value comes when automation is supported by governance and visibility.
That is how organisations move from reactive certificate management toward structured machine identity security.
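As an added illustration (not ProofID's or CyberArk's tooling, and not from the session), the sketch below applies the Discover, Govern, Automate progression to a certificate inventory: it flags certificates that are close to expiry, exceed the 47-day lifetime, have no owner, or still rely on manual renewal. The inventory records, field names, hostnames and the 15-day renewal threshold are assumptions made for the example.

```python
from datetime import date

MAX_VALIDITY_DAYS = 47   # maximum TLS certificate lifetime cited in the article
RENEW_BEFORE_DAYS = 15   # assumption: renew once fewer than 15 days remain

# Constructed sample inventory (hypothetical hosts and owners, not real data).
INVENTORY = [
    {"cn": "portal.example.ac.uk", "not_before": date(2025, 1, 10),
     "not_after": date(2026, 1, 10), "owner": "web-team", "auto_renew": False},
    {"cn": "sso.example.ac.uk", "not_before": date(2025, 5, 20),
     "not_after": date(2025, 7, 6), "owner": "iam-team", "auto_renew": True},
    {"cn": "hpc-api.example.ac.uk", "not_before": date(2025, 6, 1),
     "not_after": date(2025, 6, 20), "owner": None, "auto_renew": False},
]

def triage(cert, today):
    """Return the list of governance findings for one inventory record."""
    findings = []
    lifetime = (cert["not_after"] - cert["not_before"]).days
    remaining = (cert["not_after"] - today).days
    if remaining < 0:
        findings.append("expired")                # already causing an outage
    elif remaining < RENEW_BEFORE_DAYS:
        findings.append("renew-now")              # inside the renewal window
    if lifetime > MAX_VALIDITY_DAYS:
        findings.append("lifetime-over-47-days")  # will not be reissuable as-is
    if not cert["owner"]:
        findings.append("no-owner")               # Govern: nobody accountable
    if not cert["auto_renew"]:
        findings.append("manual-renewal")         # Automate: candidate for automation
    return findings

def report(inventory, today):
    """Map each certificate name to its findings, skipping clean records."""
    result = {}
    for cert in inventory:
        findings = triage(cert, today)
        if findings:
            result[cert["cn"]] = findings
    return result

if __name__ == "__main__":
    for cn, findings in report(INVENTORY, date(2025, 6, 10)).items():
        print(f"{cn}: {', '.join(findings)}")
```

In practice the inventory would come from whatever discovery source an institution already has, such as scan results or a CA export, rather than a hard-coded list.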
AI Agents Are the Next Wave of Machine Identity
While certificate management is an immediate operational challenge, the longer-term transformation is the rise of AI agents.
Audience insight: Nearly half of the institutions in the room are already piloting or actively rolling out Agentic AI.
Universities are already experimenting with AI across areas such as:
- student services
- administrative workflows
- research automation
- academic productivity tools
The next evolution is AI agents capable of performing tasks autonomously.
In many ways, these systems behave like digital employees.
They request access to systems. They execute workflows. They interact with applications and data.
And that raises a fundamental governance question:
Who manages the identity of the AI agent?
Without proper identity controls, AI agents can introduce new security risks, including unmanaged privileges, uncontrolled system access and a lack of accountability for automated actions.
That is why identity governance must evolve alongside AI adoption.
The Identity Foundations Universities Need Before AI Scales
During the UCISA session, we discussed what universities should prioritise as they begin planning for AI agents over the next few years.
The five-pillar model for Agentic AI should be seen as a natural evolution of the machine identity model — Discover → Govern → Automate — with the key point being that the first two steps remain fundamental:
Building on that foundation, a useful framework for AI is:

These pillars provide the structure needed to manage machine identities and AI agents securely at scale.
Key capabilities include:
- automated certificate management
- secrets management
- privileged access controls for machines and workloads
- identity lifecycle governance
- monitoring and behavioural visibility
- MCP gateway architecture for AI integration control and observability
The institutions that ultimately succeed with AI will not necessarily be those that move fastest.
They will be those that build the right identity foundations first. Sometimes the most effective strategy is to slow down to scale securely later.
Where Universities Can Start
For many institutions, the most practical first step is gaining visibility into their certificate landscape.
To support universities beginning this journey, we are offering a complimentary certificate discovery assessment.
This assessment helps institutions:
- discover TLS certificates across their environment
- identify potential expiry risks
- understand opportunities for automation
Alongside this, universities beginning to explore AI adoption can also benefit from structured identity planning.
We are currently offering a limited number of Agentic AI Advisory sessions designed specifically for higher education environments.
These working sessions help institutions:
- map their machine identity landscape
- assess readiness for certificate automation
- identify AI agent identity risks
- develop a practical governance roadmap
The Bigger Picture
Universities operate some of the most complex digital environments anywhere.
For years, identity governance focused primarily on people. But the balance is shifting rapidly.
Machine identities — and increasingly AI agents — are becoming the dominant identity type within modern university environments. The institutions that succeed will be those that recognise this shift early and build the governance frameworks required to manage it.
Because in an AI-enabled campus, identity will be the foundation of trust.
And that makes machine identity governance one of the most strategic capabilities universities can invest in today.